You know about malware, ransomware, spyware. But there’s an increasing concern about something called stalkerware, a creepy breed of apps that allow someone else to digitally monitor you. What is stalkerware all about, and how can you recognize it? Who plants it and why, and who are its victims? Joining episode 45 of Cyber Security Sauna are Eva Galperin, director of cyber security at the Electronic Frontier Foundation who also helped found the Coalition Against Stalkerware, and Anthony Melgarejo, threat researcher in F-Secure’s Tactical Defense Unit.
Janne: Welcome to both of you.
Eva: Thank you so much.
Anthony: Thank you. Glad to be here.
So Eva, tell us about yourself. How did you get into fighting stalkerware?
Eva: Well, I was a normal sort of security researcher, mostly studying APTs that were targeting journalists and activists for many years. And then it turned out that the person with whom I had been doing the majority of my APT research was outed as a serial rapist. And I was really, really angry. And so one of the things that I did was I read an interview with one of his victims, and what really struck me in that interview was how scared she was. She was really frightened, and she hadn’t come forward earlier because she was worried about stalkerware. She was worried that this guy was a hacker and he had threatened to compromise her devices. So she felt that her devices weren’t safe, and that she would not be physically safe.
I got so mad that I tweeted, a thing which happens a lot, and what I tweeted a couple years ago was that if you are a woman who has been sexually abused by a hacker, and you are concerned about your devices, that you could reach out to me and I would make sure that you would get a full forensic workup of your device.
Ten thousand retweets later, I had involuntarily started a project.
Project slash landslide.
Eva: Yes. I was getting between zero and up to 30 messages a day from different people. I still get messages from people who are in really alarming situations. And I spent a year and a half just working with the people on the ground and trying to get a good feel for what their problem really was.
Because one of the things that security researchers are often wrong about is what the problem is. Frequently we look at some group that we want to protect and we say “If only you do blah blah blah and blah blah blah, then everything would be fixed.” It turns out, often, that there are reasons that people behave the way that they do.
So I discovered that mostly we were looking at not device compromise, but at account compromise. That most of what people think of as device compromise, if they’re nontechnical, is in fact account compromise. And I thought, “Well, this is great news, because we have solutions for account compromise.” You tell everybody to use a password manager, you have them use unique and strong passwords for everything, use the highest level of 2FA that’s available and that they’re comfortable with, and then you’ve got your accounts fairly well locked down.
But, that still left some cases where the device really had been compromised, and so the accounts were getting compromised over and over and over again. And that was stalkerware, which is commercially available online to anybody to install on another person’s device in order to track them.
Often it’s sold as a way of catching your cheating spouse, or as a way of tracking your children, or some other safety or security framework, but it is definitely used by abusers as part of their abuse in order to track where people are and what they’re doing and who they’re talking to.
Oh, this is weird. I can sort of get where a parent would want to know where their kid is. Maybe, let’s say I’m okay with that. I haven’t really thought about this, but let’s say I’m okay with that. But what I understand stalkerware does is get access to messages and phone calls and stuff like that. That seems awfully intrusive.
Eva: Well, different stalkerware has different capabilities. As probably anyone who’s listening to this podcast understands, root is root. And so capabilities come after root. And the capabilities are not actually the most frightening thing about the stalkerware.
For me the most frightening thing about stalkerware is that it is installed without the knowledge of the person whose device it is and it’s designed to hide. It’s designed to convince the person who’s being spied on that they’re not being spied on. So they cannot give their consent. And I find that really troublesome.
For example, even if you want to look after your children, even if you want to know where your kids are with the phone that you bought for them…
Maybe let them know.
Eva: Yeah. Let them know. Let them know that “This is the phone that I bought for you, this is the software that I have installed on this device, these are its capabilities, and I do this in order to look after you.” Do some parenting. If you’re hiding, that’s abusive.
Yeah, and there are people out there making this software, selling this software that’s designed to do these things. That’s a little creepy.
Eva: It is absolutely creepy that there are people who are selling this software. I am extremely careful about how we go after people like this, because I am a security researcher and also I work for the Electronic Frontier Foundation. We are part of the organization that got the ruling in the United States that code is protected by the First Amendment, that code is speech. We are very concerned with protecting the rights of security researchers, and I want people to write the code they want. I think that that’s okay. But when you start selling code that is specifically designed for abuse, then I’ve got problems.
Yeah. So where did this stuff come from? What’s the history?
Eva: Well, there are about half a dozen companies that make this stuff. Probably even less, and in places ranging from the United States, to the Netherlands, I think I’ve seen some Israeli companies, some Indian companies. And usually what happens is there are just a few companies and then they rename their product all the time, or they’re constantly reskinning their product. Or they are selling the rights to reskin their product to someone else. So there are half a dozen products but there are thousands of names.
Okay. But was there ever a non-creepy purpose for this software?
Eva: The companies that sell it will tell you that installing the software in order to track your children, or your spouse, or anything else, is not creepy, that it’s perfectly legitimate, you know, creepy is in the eye of the beholder.
But the place where I have chosen to draw the creepiness line is consent. If you need to fool someone into thinking that the software is not on their device, so that they can’t find it and they can’t remove it, then whatever tracking you’re doing, no matter how good you think you are, no matter how not creepy you think you are, no matter how much you think your spouse might be cheating on you, it’s not okay.
Anthony: The Coalition now is starting to try to push the developers to always constantly ask for consent whenever the device is being tracked, so that the user is aware periodically that yeah, there’s your parent or a partner monitoring you. Also, there are some developers who build these applications for anti-theft solutions. For example, if your phone got stolen, you are able to track where it is. So that is not creepy, but of course if someone abuses that capability, then yeah, that becomes creepy.
So how exactly does stalkerware work? How do you get this onto other people’s phones?
Anthony: Usually stalkerware is installed to the target device by the abusive partner by gaining physical access to it. This is quite common since people in intimate relationships share passwords, and they know each other’s history, right? Which makes it easier to guess the passwords or the security reset questions. Or they can just simply look over the shoulder of their victim when they are unlocking their device or entering their passwords. It is also possible that the abuser can just trick the victim by saying that “Hey, install this app. This is a cool app, it is important.” But it is actually stalkerware.
So it’s physical access to the device, or tricking somebody into clicking a link. So basically just like how any other malware gets on a device.
Eva: Well, except with an attacker that already knows your username and password most of the time, and has physical access to your device.
Anthony: Malware usually is installed remotely or by social engineering. So that is the main difference with stalkerware, because you are installing it to someone you are close to.
So is that the typical case for stalkerware? So it’s somebody that the person is romantically involved with. Is that the typical victim of this sort of crime?
Anthony: That is the common scenario. But of course, there are some instances, like Eva’s story earlier, there was a sexual predator who somehow was able to gain access to those phones and install these applications.
Yeah. So how can you spot a stalkerware app? We talked about how some of these apps try to hide a little bit, but to what extent are they able to hide their presence on a device?
Anthony: Once they are installed they could have icons or names that look like utility or system apps. There are various ways to check if your phone has stalkerware, and most of them can be simply checking the settings. For example, in Android you can check the device admin apps. These apps have more permissions that allow the monitoring capabilities of stalkerware. Just make sure that everything in that list, you remember that you have installed it. So if there’s something suspicious, that is a flag that something wrong is going on.
And speaking of permissions, the second thing you can check is if an application is named, I don’t know, Battery Saver, Update Service, that has permission to your calls, messages, camera and microphone, then that is not good. You will also notice that there are some changes in your device’s behavior or resource usage, for example the phone battery is draining faster, the data usage has increased, and it’s becoming a bit slower.
What about iPhone users? The iPhone infrastructure is more of a walled garden, so can apps do these kinds of things in iPhones as well?
Eva: The most common type of stalkerware that we see on iPhones is stalkerware that either requires that the device be jailbroken, which often requires, depending on the current state of jailbreaking, physical access to the device. But even if your device is not jailbroken, the thing I see most commonly is an app that will regularly scrape the iCloud backups of the phone, so once every 24 hours it will pull everything down. Which gives you less real time information about what the person is doing, but it’s still very intrusive.
Does that mean that I shouldn’t use iCloud backups?
Eva: It depends.
Anthony: You just need to be vigilant with your apps installed.
Eva: Yeah. No, the worst thing about asking any security engineer questions is that everything starts with sighing… and then looking off into the distance… and then going… “It depends.” (Laughing)
Certainly if your iCloud backups are suddenly turned on and you didn’t turn them on, that is very suspicious.
Yeah. My girlfriend just got a new iPhone and she wanted me to help her set it up. And so now I have my thumbprint on her phone, and she asked me to set up all the backups and everything, and I’m like, “No, you shouldn’t have done any of this! That’s a horrible idea!”
Anthony: Let her listen to this podcast afterwards.
Ah, no, she doesn’t listen to my podcasts.
Eva: Well, there’s your problem! (Laughing)
It is extremely common for partners to trust one another with access to their devices, with access to their passwords, with knowledge of their security questions. And the person that you trust right now is not always going to be the person that you trust. Abusive people don’t show up on Day 1 with a big sign that says, “Hi, I’m going to abuse you.” They often are in very complicated romantic relationships, and that is part of what makes it really difficult to disentangle their lives and also to disentangle their privacy and create a space that is entirely theirs where they feel safe.
Do we know what kind of people these are? Is there a profile of an abuser that fits somebody who would use stalkerware?
Eva: I would say of the people that I have talked to who are victims of abuse, that about two thirds of the perpetrators that I deal with are men, and a third are women. So I don’t want to leave people with the impression that this is some sort of man-only problem. I have seen women abuse men, I have seen men abuse men, I have seen women abuse women, I have seen people abuse their brothers and sisters and parents, I have seen parents abuse their children, so all kinds of combinations are possible.
But what’s really important to remember is that this kind of abuse is insidious. It’s really difficult to see from the outside. And the kind of people who engage in this kind of abuse, usually they will tell you that they’re just really concerned about where you are and what you’re doing and where you’re going, and that they’re just here to help you. So it can get really complicated.
Okay. Let’s say I’m convinced that there’s a stalkerware app on my phone. How does one remove that? Is it as simple as uninstalling the app?
Anthony: Most stalkerware may be uninstalled by removing them from the device admin apps list, and then uninstalling them eventually from your phone. But some may require a factory reset, those more persistent ones. In some cases, however, removing the stalkerware right away may not be the safest option because unlike malware, stalkerware is usually installed by someone who is close to the victim. And removing it will only notify whoever installed it, and it might cause an escalation of violence from the abuser.
All right, that’s a good point.
Anthony: If you think that is the case actually, then you should definitely go for maybe a burner phone, go to a safe place and contact law enforcement immediately and also contact organizations that work with victims of domestic violence.
What about you, Eva? Do you have any advice for somebody who thinks they’re being spied on through their phone?
Eva: Well, usually the first thing that I do is I try to disambiguate device compromise from account compromise. So the first thing I do is I try to get them to lock down all of their accounts, and to see whether or not the problem persists.
Often the best way to frame it for victims of this kind of abuse is to explain that you don’t necessarily know what’s wrong. You’re like a doctor or a detective. So what you’re going to do is you’re going to try to eliminate the most common thing, and then you’re going to see whether or not it is the next most common thing, and the next most common thing.
Once I’ve eliminated account compromise, like the same account is getting compromised over and over again after you’ve changed the password and turned on 2FA, then I start looking for malware on the device.
That makes sense. Is there any kind of self-help questionnaire, or like a checklist, like “Do these things first before calling Eva”?
Eva: I would recommend taking a look at a couple of different things. The first is Operation Safe Escape, which has a wonderful page with all kinds of resources on it that I really like. And the Coalition Against Stalkerware also has a web page. We are at stopstalkerware.org, and there are a bunch of resources there.
So let’s talk about the Coalition Against Stalkerware. What does the Coalition do? How in practice does it fight against stalkerware?
Eva: Well, the Coalition is a group of academics and security researchers and security companies, as well as security practitioners who work directly with victims of domestic abuse, and we do a couple of different things.
The first thing we did was we came up with a standard definition of stalkerware, so that people would know it when they see it, and that’s really based around consent, especially around informed consent which is constant. That’s something that people hadn’t really spent a lot of time thinking about before.
Then, we are also working on information sharing between security companies, so that antivirus tools will be better at recognizing stalkerware when it’s installed on your machine. Some research that I did a couple years ago showed that basically, AV companies were not very good at recognizing stalkerware, and particularly bad at recognizing the latest versions of stalkerware and mobile stalkerware.
So mostly we’re doing information sharing, we have this shared definition that we’re working from, and then our next steps have to do with outreach to law enforcement and training of organizations on the ground.
Wow, I’m not sure I like the sound of security products not catching this stuff. Anthony, please tell me ours does.
Anthony: Honestly, before Eva actually let this out in public, it was really a bad job for all security vendors that we were not really paying attention. But thanks Eva for raising awareness, and now we have seen the numbers going up, that we are really recognizing these applications.
Okay, so we’re doing a better job.
Eva: AV Comparatives did a study based on tests they ran late last year, that they published this spring, which is very informative. But I would actually like to see more tests.
Anthony: Yes. Well, AV Comparatives, actually, they’ve been doing this I think every year, and they are reporting how much the security vendors have improved. And I agree with Eva, hopefully more and more testing organizations will join this.
All right. Well, F-Secure obviously is a part of the Coalition Against Stalkerware, but what are we contributing to this coalition?
Anthony: We contribute mostly by providing technical information and statistics to the Coalition. The Coalition also has a sample sharing platform, and for that platform, we started researching for better identification of stalkerware in the wild, so that we’ll be able to add high-value samples in that platform. We also raise awareness about stalkerware by analyzing samples, publishing writeups, and of course like this, doing some podcasts.
Do we know where the situation is going? Is it getting worse or better?
Eva: We’re not sure.
Anthony: Yeah, because before, we don’t have that much data. But since this has been a well-known issue, around October 2019, we’ve seen the monthly average of stalkerware detections has gone up by 45 times in our telemetry, so that’s a big jump.
Eva: Probably not a function of there being more stalkerware out there. This is probably a function of just being better at detecting the stalkerware that already exists.
Eva: Once we reach a point where we’re pretty good at detecting the stalkerware that already exists, then we can make some conclusions about whether or not the usage of stalkerware is going up or down.
Yeah, okay. So even though they might be commercial software, we can’t just go back and see like, when was the website for this company launched? We don’t know when they started.
Eva: We can, but chances are that that company is just a rebranded version of some other company, which is a rebranded version of some other company.
We can really only infer how big the market is based on very limited data. For example, in summer of 2018, there was a company that found four different stalkerware apps in the Google Play store that had made it past Google. And Google then went on and identified four more, so there were eight different stalkerware apps in the Google Play store. And if I recall correctly, at the time when the products were taken down, they had been downloaded something like 140,000 times.
So that gives you some idea of how many people are downloading these products. And presumably a large number of them are downloading these products with malicious intent.
Yeah. So should the app stores be doing more to stop this?
Eva: Oh yes, absolutely. The good news is that often these apps are already against the app stores’ rules, they just sneak by. So the app stores just need to do a better job of enforcing the rules they already have.
Anthony: Yeah. And making it worse, actually, when these apps get banned or reported, they just simply rename or change their skins and then they try to go back into the Play store.
Oh, okay. So we think that a lot of these apps actually do get downloaded from legitimate app stores, and not from some dodgy weird Android stores?
Anthony: Yeah, there are some. But most of the dangerous ones, I would say, have their own websites because they are really known and they can’t get in anymore because they’ve become notorious.
So we don’t think that trying to change legislation in some of these countries where these companies operate, for example, might be an effective thing to do?
Eva: I don’t think it’s very likely. One of the things that I’m very skeptical of is when people look at a problem and they say, “There oughta be a law.” Because one of the first things that I did was I looked over the laws that already existed, and I found a bunch of laws, both that the companies may have been breaking, and that were being broken by the people who were downloading the apps, who were buying the apps, who were using the apps. And I have a whole legal analysis of this, thanks to my army of angry attack lawyers.
So the problem is not that we don’t have laws. The problem is we’re not enforcing the laws we already have.
Yeah, and we’re trying to stop criminal behavior by enforcing laws, which, you know, is an oxymoron.
So okay, Eva. Let’s say there are people out there, our listeners, who are very tech-savvy people. Is there something they can do to help if they are so inclined?
Eva: Well, there are a couple of things they can do. The latest ask that I’m aware of actually came from Operation Safe Escape. They were looking for someone to help them draft some security documents. So I strongly recommend reaching out to Operation Safe Escape if you have some experience in that area.
If you are working at an AV company or some other security company, now would be a good time to tell them about the Coalition Against Stalkerware, so that hopefully they can join us and give us their sweet, sweet samples.
And furthermore, if you go to the Coalition Against Stalkerware website, you can see a lot of the organizations that we work with on the ground, and they always need volunteers, especially volunteers with technical savvy.
Well, there you have it. Thanks, guys, for being on the podcast today.
Eva: Thank you.
Anthony: Thank you.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.